We recently had another public preview related to Azure AD Domain Services, a really nice and cool feature. We’ve already talked about Azure AD Domain Services in this blog; just search this blog to find the related articles. With Azure AD Domain Services you get managed AD domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication, and all of those services are fully compatible with Windows Server Active Directory.
But what is Azure Resource Manager? Azure Resource Manager provides a consistent management layer for the tasks you perform through Azure PowerShell, Azure CLI, the Azure portal, the REST API, and development tools. You can learn more about Azure Resource Manager in its documentation. The Resource Manager deployment model is widely used across Azure and is now the preferred way to deploy new Azure workloads.
Also, do not forget to check a recent article here about the new Azure AD Admin UX, which provides a great new experience.
This public preview allows you to create new managed AD domains in virtual networks that were provisioned using Azure Resource Manager. This public preview release makes deployment of Azure AD Domain Services much easier.
So let’s see how it works:
1. You need to enable Azure AD Domain Services for your Azure Active Directory Environment. Check here for instructions on how to do it. When you create your new managed domain, make sure to select ‘Resource Manager’ as the virtual network type.
2. If you’ve already enabled Azure AD Domain Services for your Azure directory, your existing managed AD domain is running in a classic virtual network, and that needs to change. From this point, you have two options:
- If the existing managed AD domain is a production instance, you won’t be able to use this preview. The Azure AD Team is working on a migration feature that will let you move your managed AD domain from the classic virtual network to a Resource Manager virtual network without deleting the managed AD domain. We should expect this to be available in public preview before the end of December 2017.
- If the existing managed AD domain is a test instance, you can disable Azure AD Domain Services for the directory. You can then create a new instance and select a Resource Manager-based virtual network.
Note: If you are using Azure AD Domain Services in a classic virtual network for production purposes, do not disable Azure AD Domain Services. You will lose all state within the managed AD domain, such as domain-joined computers, any custom OUs you’ve created, and the objects within them. Migration of existing managed AD domains from classic virtual networks to Resource Manager virtual networks will be supported (as the Azure AD Team says) later this year.
The screenshot below shows how to do it; note the type of virtual network that is selected:
Remember that this feature is still in public preview and not generally available. It seems that the Azure AD Team needs to finish a few more things before that happens:
Default setting for Resource Manager virtual networks: This public preview release defaults to Resource Manager-type virtual networks when you create a new managed AD domain. During the public preview, you’ll still be able to choose a classic virtual network while creating a new managed AD domain. But when support for Resource Manager virtual networks becomes generally available, you won’t be able to create new managed AD domains in classic virtual networks anymore. Resource Manager-based virtual networks will be the only supported deployment model for newly created managed AD domains.
Migration process for existing managed AD domains: The Azure AD Team plans to support a migration process for existing managed AD domains, so you can easily switch from a classic virtual network to a Resource Manager-based virtual network. They have promised more details on that process in the coming weeks.
Thanks for your time!